docs: JWT allowed skew is not documented #3783

Open
steve-chavez opened this issue Nov 15, 2024 · 1 comment
Labels
docs Only related to documentation


@steve-chavez
Member

Problem

We allow a 30 second skew when doing JWT exp validation:

```haskell
allowedSkewSeconds = 30 :: Int64
```

But this isn't documented anywhere.

@steve-chavez steve-chavez added the docs Only related to documentation label Nov 15, 2024
@steve-chavez steve-chavez changed the title docs: clock skew is not documented docs: JWT allowed skew is not documented Nov 15, 2024
@taimoorzaeem
Collaborator

We also validate iat and nbf claims which are not documented anywhere.

```haskell
failedNbfClaim :: KM.KeyMap JSON.Value -> Bool
failedNbfClaim mclaims = case KM.lookup "nbf" mclaims of
  Just (JSON.Number secs) -> now < (sciToInt secs - allowedSkewSeconds)
  _ -> False
failedIatClaim :: KM.KeyMap JSON.Value -> Bool
failedIatClaim mclaims = case KM.lookup "iat" mclaims of
  Just (JSON.Number secs) -> now < (sciToInt secs - allowedSkewSeconds)
  _ -> False
```

I think the skew and all claims should be documented in auth.html#jwt-claims-validation.
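
The effect of the skew on a token's acceptance window, as an added Python example that is not part of the thread or of the project's code. The `nbf` and `iat` comparisons mirror the snippet quoted above; the exact `exp` comparison, the truncation of fractional seconds, and all function names and sample claims are assumptions made for illustration.

```python
# Added illustration, not PostgREST source code.
import time

ALLOWED_SKEW_SECONDS = 30  # value quoted in the issue


def _numeric(claims, name):
    """Return the claim as int seconds, or None when absent or not a JSON number."""
    value = claims.get(name)
    # bool is a subclass of int in Python, but JSON true/false is not a number
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return int(value)  # assumption: fractional seconds are truncated


def failed_time_claims(claims, now=None, skew=ALLOWED_SKEW_SECONDS):
    """List the time claims that reject the token at time `now`."""
    now = int(time.time()) if now is None else now
    exp, nbf, iat = (_numeric(claims, n) for n in ("exp", "nbf", "iat"))
    failed = []
    # assumption: exp fails only once `now` is more than `skew` seconds past it
    if exp is not None and now > exp + skew:
        failed.append("exp")
    # same comparison as failedNbfClaim / failedIatClaim quoted in the issue
    if nbf is not None and now < nbf - skew:
        failed.append("nbf")
    if iat is not None and now < iat - skew:
        failed.append("iat")
    return failed


def acceptance_window(claims, skew=ALLOWED_SKEW_SECONDS):
    """Return (earliest, latest) accepted timestamps; None means unbounded."""
    exp, nbf, iat = (_numeric(claims, n) for n in ("exp", "nbf", "iat"))
    lower = [t - skew for t in (nbf, iat) if t is not None]
    earliest = max(lower) if lower else None
    latest = exp + skew if exp is not None else None
    return earliest, latest


if __name__ == "__main__":
    # Constructed sample claims
    claims = {"role": "web_user", "iat": 1000, "nbf": 1060, "exp": 1360}
    print("window:", acceptance_window(claims))
    for t in (1029, 1030, 1390, 1391):
        print(t, failed_time_claims(claims, now=t))
```

Under these assumptions a token is usable from 30 seconds before its `nbf` until 30 seconds after its `exp`, and a time claim that is not a JSON number is skipped rather than rejected.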
